System and method for controlling usage of cryptographic keys

ABSTRACT

The subject matter discloses a computerized system for securing data, comprising a first node, comprising a first memory storage configured to store a first share of a cryptographic key and a communication module, a second node, in communication with the first node, comprising a second memory storage configured to store a second share of the cryptographic key, wherein the first share and the second share of the cryptographic key are required to perform a cryptographic operation using a multi-party computation (MPC) process, wherein the second node further comprises a control unit configured to change an operation mode of the second share from enable to disable, wherein the disable operation mode prevents performing the cryptographic operation using the MPC process.

CROSS REFERENCE TO RELATED APPLICATIONS

The present application claims the benefit of U.S. Provisional Application No. 62/617,380, filed Jan. 15, 2018, the subject matter of which is incorporated by reference in its entirety.

FIELD OF THE INVENTION

The present invention is generally related to data security, more specifically to controlling usage of cryptographic keys.

BACKGROUND OF THE INVENTION

Attackers of secured online resources such as cloud storages wish to access the data encrypted in the secured online resources. Information stored in secured online resources may also be compromised by government subpoenas, which require cloud service providers that control the infrastructure to decrypt the information. Those service providers are obliged to obey the subpoena, many times without notifying the customer whose keys/data are sought after. In order to prevent attackers from decrypting the data encrypted and stored in the secured online resources, businesses need a solution that grants them full and sole control of their cryptographic keys at all times, so that the cryptographic keys and data can never be exposed during a breach.

Controlling the key in a cloud storage is considered to involve a tradeoff between security and usability. HSM (hardware security module) solutions are more secure and limit usability, while usability is more the focus when storing data in multiple cloud locations. Current approaches in key management in the cloud include a Key Management Service (KMS) offered natively by a cloud service provider, Cloud HSM offered by a cloud service provider, Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK). One thing all the above approaches share is a hard tradeoff between security and usability.

SUMMARY OF THE INVENTION

The subject matter discloses a solution for safely consuming Infrastructure as a service (IaaS) and Software as a service (SaaS) online storage and cloud services while retaining full control of the most sensitive cryptographic keys safeguarding sensitive data and applications.

It is an object of the subject matter to disclose a computerized system for securing data, comprising a first node, comprising a first memory storage configured to store a first share of a cryptographic key and a communication module, a second node, in communication with the first node, comprising a second memory storage configured to store a second share of the cryptographic key, wherein the first share and the second share of the cryptographic key are required to perform a cryptographic operation using a multi-party computation (MPC) process, wherein the second node further comprises a control unit configured to change an operation mode of the second share from enable to disable, wherein the disable operation mode prevents performing the cryptographic operation using the MPC process.

In some cases, the first node is located on an online storage platform and the second node is located in a data center. In some cases, the second node further comprises a management interface configured to enable a user of the system to input a command to change the operation mode of the second share.

In some cases, the second node further comprises a log storage configured to store operations that require the second share. In some cases, the second node further comprises a processing module extracting information from the log storage and configured to determine irregular use of the second share. In some cases, the processing module generates a process for changing the operation mode of the second share from enable to disable upon determination of the irregular use of the second share.

In some cases, the second node further comprises multiple different shares of cryptographic keys, each of the shares is configured to enable decryption of data in a different node communicating with the second node.

In some cases, the system further comprises a key share storage configured to store key shares of multiple containerized software modules requesting access from the security server.

It is an object of the subject matter to disclose a method, comprising obtaining a first node and a second node in communication with the first node, the first node comprises a first memory storage configured to store a first share of a cryptographic key and a communication module, the second node comprises a second memory storage configured to store a second share of the cryptographic key, performing a multi-party computation (MPC) process between a controlled computerized node and another node using the first share and the second share, receiving a command to change an operation mode of the key share, changing the operation mode of the key share.

In some cases, the method further comprises storing usage log of the key share stored in the controlled node. In some cases, the method further comprises processing the usage log and identifying irregular behavior in key share usage.

In some cases, the command is received from an administrator device receiving the usage log of the key share. In some cases, changing the operation mode of the key share disables the MPC process. In some cases, changing the operation mode of the key share comprises disabling communication between the controlled computerized node and the other node. In some cases, changing the operation mode of the key share comprises deleting the key share from a memory of the controlled computerized node.

In some cases, the method further comprises a set up stage of the first node and the second node. In some cases, the method further comprises copying an image of a known and malware-free hardened operating system into the first node and the second node. In some cases, the method further comprises creating a temporary customer-controlled node and copying the data stored at the temporary customer-controlled node to a customer controlled location and creating a second customer-controlled node. In some cases, the method further comprises copying the data stored at the temporary customer-controlled node to the second customer-controlled node. In some cases, the method further comprises generating a Transport Layer Security (TLS) communication channel between the second customer-controlled node and the non-controlled node.

BRIEF DESCRIPTION OF THE FIGURES

Some embodiments of the invention are herein described, by way of example only, with reference to the accompanying drawings. With specific reference now to the drawings in detail, it is stressed that the particulars shown are by way of example and for purposes of illustrative discussion of embodiments of the invention. In this regard, the description taken with the drawings makes apparent to those skilled in the art how embodiments of the invention may be practiced.

In the drawings:

FIG. 1A shows two nodes storing key shares used to perform MPC, one node is stored on premise, a key share of one node is controlled, according to exemplary embodiments of the present invention;

FIG. 1B shows two nodes storing key shares used to perform MPC, both nodes are stored in the cloud, a key share of one node is controlled, according to exemplary embodiments of the present invention;

FIG. 2 shows a controlled node storing a key share used for an MPC process, according to exemplary embodiments of the subject matter;

FIG. 3 shows a method for controlling key shares in computerized nodes,according to exemplary embodiments of the subject matter; and,

FIG. 4 shows a method for set up stage of the nodes, according to exemplary embodiments of the subject matter.

DETAILED DESCRIPTION

The present invention discloses a system and method for controlling usage of cryptographic keys. The system comprises two computerized nodes, each node is located on a distinct entity and comprises a share of a cryptographic key. The cryptographic keys may be encryption keys, signing keys and any other keys used for cryptography. Both shares are required to sign and/or encrypt and/or decrypt information stored on at least one of the entities using a Multi-Party computation (MPC) process. The MPC process is executed by exchanging information between the nodes, without revealing the key shares or the entire key. The nodes may communicate over the internet, a cellular network, LAN, WAN or any other technique or protocol desired by a person skilled in the art.

At least one of the two nodes is controlled by an owner of the information. The owner may be a user or an entity that owns the information or is responsible for the information. Controlling the nodes may be done manually using a user interface into which the user inputs data or commands, or automatically using a software controlling the key shares according to a predefined set of rules. For example, a first node is located in an online storage server, also defined as a cloud service, and the second node is located on a data center. The second node may be controlled by an IT manager of the data center or by a software defined by the owner of the data center. The second node is controlled in a manner that enables changing an operation mode of the key share stored in the second node. Changing the operation mode includes disabling the key share, shutting down the second node communication with the first node, deleting the key share or any other process, function or operation that prevents performing an MPC process between the first node and the second node.

FIG. 1A shows two nodes storing key shares used to perform MPC, one node is stored on premise, a key share of one node is controlled, according to exemplary embodiments of the present invention. The first node 110 and the second node 120 are stored in two distinct entities, at least one of the entities is controlled by an owner of the data stored therein. The first node 110 stores a key share 115 used to execute an MPC process 130 with the second node 120 using a second key share 125 stored in the second node 120. Both key shares 115 and 125 are required to perform the MPC process 130. The first node 110 and the second node 120 exchange information in a predefined manner in order to perform the MPC process 130 without sending the actual key shares to the other party and without the entire key share ever being stored in a single entity when the key is generated, and when encrypting or decrypting information.

The first node 110 may be stored online, for example at an online storage service such as Amazon Web Service (AWS). The second node 120 may be stored in a data center owned by or controlled by the owner of the data. In some exemplary cases, both the first node 110 and the second node comprise storage units 112 and 122 respectively, configured to store data owned by the same owner. In some exemplary cases, the second node 120 is controlled by the information owner while the first node 110 stored at the online storage service is not controlled by the information owner.

The operation mode of the second key share 125 may be controlled by a software operating on the second node 120, or on the entity in which the second node 120 is stored. In some exemplary cases, the operation mode of the second key share 125 may be controlled via commands inputted into a user interface of a remote device 140, for example a tablet computer communicating with the second node 120 via the internet, LAN, WAN or any other technique desired by the person skilled in the art. The remote device 140 may receive information concerning usage of the key shares, identify behavioral irregularities and generate a command to change the key share mode of operation until the situation is cleared, on whether there is a breach or not. Such process may be performed internally within the second node 120, or in a computerized application operating in the entity in which the second node 120 resides.

FIG. 1B shows two nodes storing key shares used to perform MPC, both nodes are stored in the cloud, a key share of one node is controlled, according to exemplary embodiments of the present invention.

FIG. 2 shows a controlled node storing a key share used for an MPC process, according to exemplary embodiments of the subject matter. The controlled node 200 may be the second node as disclosed below. The controlled node may be stored in a data center. The controlled node 200 is configured to perform an MPC process with another node residing in a distinct computerized entity, both the controlled node and the other node store shares of a cryptographic key. The controlled node 200 may perform the MPC process with multiple different non-controlled nodes that reside in another entity, for example in two different cloud storage services.

The controlled node 200 comprises a key share storage 240 configured to store a key share. The key share is created when splitting the cryptographic key. The key share is not revealed to another entity, and the entire key is never reconstructed when encrypting and/or decrypting information using the MPC process. Encrypting and decrypting may be performed on information stored on the entity that contains the non-controlled node cooperating with the controlled node 200 or on the entity containing the controlled node 200 when executing the MPC process. The key share storage 240 may be a volatile or non-volatile memory unit, for example may be stored in a memory address of the controlled node 200 or in a memory device connected to the controlled node 200.

The controlled node 200 comprises an MPC module 210 configured to perform the MPC process with the non-controlled node. The MPC process may result from a command or request for information, said request or command may be generated by the controlled node 200 or from the non-controlled node. The MPC module 240 is configured to execute a predefined set of operations, for example mathematical or logical operations, and send information to the non-controlled node according to the predefined set of operations. The set of operations may be stored in a memory address accessed by the MPC module, the memory address may be in the internal memory of the controlled node 200 or in a memory device connected to the controlled node 200.

The controlled node 200 comprises a communication module 220 configured to communicate with the non-controlled node when performing the MPC process. The communication module 220 may also communicate with an external device, for example an administrator's device, configured to enable or disable use of the key share. The communication module 220 may comprise a messaging server configured to receive messages and analyze the received messages. The communication module 220 may comprise an internet gateway configured to enable transmission and receipt of messages via the internet, for example commands inputted by the data center administrator via a dedicated website. The communication module 220 may comprise a wireless transceiver configured to send and receive information with the non-controlled node during the MPC process, for example via a cellular network. The communication module 220 may use WAN, LAN, a wired communication and the like. The communication module 220 interacts with the MPC module 210 when performing the MPC process with the non-controlled node.

The controlled node 200 may also comprise a log storage 230 configured to store logs of share key usage. The logs may include use properties such as usage time, requestor identity, properties of the data encrypted or decrypted such as type, location of the stored data and amount of data stored and additional properties as desired by the person skilled in the art. In some exemplary cases, the log storage 230 may reside outside the controlled node 200, for example in an administrator device or in a remote server accessible to the administrator. In such a case, usage of the key share is known to the MPC module 210 and to the communication module 220 that transfer the usage data to the remote server, or directly to the administrator's device, for example to a dedicated application configured to store and analyze usage of the key share. The controlled node 200 may also comprise a processing module 250 configured to process the usage data stored in the log storage 230. The processing module 250 may have access to a predefined set of rules and compare the usage data as received, for example from the MPC module 210, with the set of rules. In case the processing module 250 identifies irregularities, the processing module 250 may send a message to the control unit 260 which changes the operation mode of the key share. The control unit 260 may receive a command from the administrator's device to change the operation mode of the key share. The control unit 260 may change the operation mode by changing a configuration in the controlled node 200, by deleting a data item comprising the key share in a known memory address of the controlled node, by adjusting communication properties of the controlled node and the like. In some exemplary cases, the control unit 260 may change the operation mode of the key share in response to a predefined event, for example shut down or technical deficiencies in the non-controlled node. In some exemplary cases, the control unit 260 may change a key share operation mode only with a specific IP address of domain, or frequency band, when transmitting wireless signals from the controlled node 200.

FIG. 3 shows a method for controlling key shares in computerized nodes, according to exemplary embodiments of the subject matter. Step 310 discloses performing an MPC process between the controlled node and another node. The other node may be a controlled node or a non-controlled node. Both nodes exchange information over a network or a wired cable when performing the MPC process, without sending the key share stored in each node. The MPC process is required to encrypt or decrypt data stored in at least one of the nodes—the controlled node and the other node.

Step 320 discloses storing usage log of the key share stored in the controlled node. The usage log may be stored in a memory address of the controlled node or in another device, as the controlled node may send usage data of the key share to the other device. The other device may be a dedicated server, an administrator's device or any other device. The usage log may be updated with every cryptography operation, or periodically or in response to a process that requires the key share. The usage log is tamper proof since each usage of the second share stored in the controlled node requires activating the communication module which reports to the usage log module.

Step 330 discloses processing the usage log. Such processing may be performed periodically, for example once per hour, or in response to an event, for example detection of more than 500 uses of the key share within 10 minutes. Processing the usage log may include comparing the usage log to a predefined set of rules. The rules may be stored in the controlled node, in the entity in which the node resides, or in a remote location. The output of the usage log processing may be transmission of a message to a predefined address, for example the administrator's phone, temporarily disabling communication from the node outwards, temporarily disabling usage of the key share, deleting the key share and the like. The outcome of the processing stage may be sent to a control unit residing in the controlled node, and the control unit will actually change the operation mode of the key share.

Step 340 discloses the control unit of the controlled node receiving a command to change an operation mode of the key share. The command may be received via a secured protocol. The command may be received from an administrator device and may require the administrator to input a secret in order for the control unit to process the command. The command may be general, for example disable the key share, or may be specific, and specify how to disable the key share, as elaborated below.

Step 350 discloses the control unit of the controlled node modifying the key share operation mode. Modifying the operation mode comprises disabling the MPC process between the controlled node and the other node. Modifying the key share operation mode may include multiple options, for example disabling communication between the controlled node and the other node, preventing access to the memory address storing the key share, deleting the key share or any other process or operation desired by a person skilled in the art that prevents the MPC process.

Step 360 discloses enabling the MPC process between the controlled node and the other node. Such enabling may comprise restoring communication with the non-controlled node, re-configuring a memory in the controlled node and the like.
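
A sketch of Steps 310 to 360, given here as an added example and not as code from the patent. A toy additively split RSA exponent stands in for the MPC process, which the text does not specify; `ControlledNode`, `joint_sign`, `admin_tag`, the counter-based replay check and all key material are assumptions constructed for illustration, while the 500-uses-in-10-minutes rule is the one named in Step 330.

```python
import hashlib
import hmac
from collections import deque

# Constructed toy RSA key (far too small for real use). A dealer-style split is
# used for brevity; the system described above never holds the whole key in one place.
P, Q, E = 1009, 1013, 65537
N, PHI = P * Q, (P - 1) * (Q - 1)
D = pow(E, -1, PHI)
D1 = 123457                # share of the non-controlled node (constructed value)
D2 = (D - D1) % PHI        # share of the controlled node: D1 + D2 = D (mod PHI)


class ShareDisabled(Exception):
    """Raised when the controlled node refuses its part of the joint operation."""


def admin_tag(secret, action, counter):
    """HMAC over counter and action; the secret is the administrator's input."""
    return hmac.new(secret, f"{counter}:{action}".encode(), hashlib.sha256).digest()


class ControlledNode:
    def __init__(self, share, admin_secret, max_uses=500, window_s=600):
        self._share, self._secret = share, admin_secret
        self.mode = "enable"
        self.log = []               # Step 320: (time, requester, outcome)
        self._recent = deque()      # request times inside the sliding window
        self._last_counter = 0      # highest admin command counter accepted
        self.max_uses, self.window_s = max_uses, window_s

    def _irregular(self, now):
        # Step 330 rule from the text: more than 500 uses within 10 minutes.
        self._recent.append(now)
        while self._recent[0] <= now - self.window_s:
            self._recent.popleft()
        return len(self._recent) > self.max_uses

    def partial_op(self, m, requester, now):
        """Step 310, controlled side: contribute m^D2 without revealing D2."""
        if self.mode != "enable":
            self.log.append((now, requester, "refused"))
            raise ShareDisabled(self.mode)
        if self._irregular(now):
            self.mode = "disable"   # Step 350, triggered by log processing
            self.log.append((now, requester, "auto-disabled"))
            raise ShareDisabled("irregular use")
        self.log.append((now, requester, "served"))
        return pow(m, self._share, N)

    def command(self, action, counter, tag):
        """Steps 340 to 360: authenticated, replay-protected mode change."""
        if counter <= self._last_counter:
            return False            # stale or replayed command
        if not hmac.compare_digest(tag, admin_tag(self._secret, action, counter)):
            return False
        if action not in ("enable", "disable", "delete"):
            return False
        if action == "enable" and self._share is None:
            return False            # a deleted share cannot be re-enabled
        self._last_counter = counter
        if action == "delete":
            self._share, action = None, "disable"
        self.mode = action
        return True


def joint_sign(m, node, requester="non-controlled-node", now=0):
    """Both partial results are needed; neither side sees the other's share."""
    s1 = pow(m, D1, N)                       # computed by the non-controlled node
    s2 = node.partial_op(m, requester, now)  # computed by the controlled node
    return (s1 * s2) % N
```

Refused and auto-disabled requests are logged as well as served ones, so the usage log records attempts made while the share is disabled.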

FIG. 4 shows a method for set up stage of the nodes, according to exemplary embodiments of the subject matter.

Step 410 discloses initiating a pair of nodes. At least one of the two nodes may be stored in an online server, also defined as a cloud service. Initiation of the pair of nodes may be excluded from the method in case the method is applied on nodes already initiated. Initiation of the pair of nodes comprises allocating storage space for each node, an IP address and preferably a handshake process between the nodes. In some exemplary embodiments, the nodes are shut down, rebooted, and an image of a known and malware-free hardened operating system is copied into the nodes. After copying the malware-free operating system, a Transport Layer Security (TLS) communication channel is generated between the nodes. In some exemplary cases, one node is controlled by a service provider such as an online storage provider for example AWS and the second node is a temporary node controlled by the customer, also residing online, for example in the cloud service server for example residing on the customer's data center and capable of communicating with the first node.

Step 420 discloses copying the data stored at the temporary customer-controlled node to a customer controlled location, for example the customer's data center. Then, in step 430, the temporary customer-controlled node is deleted from the cloud.

Step 430 discloses initiating a second customer-controlled node in a customer controlled location, for example the customer's data center, or on the cloud. The second customer-controlled node replaces the deleted customer-controlled node which was stored on the cloud server. Then, in step 435, communication is generated between the second customer-controlled node and the non-controlled node. The term non-controlled node also refers to a node not controlled by the owner of the data, for example a node controlled by a service provider such as AWS. Generating the communication may be performed using a TLS process.

Step 440 discloses setting up a computerized system comprising the non-controlled node and the second customer-controlled node. Setting up the computerized system comprising the two nodes may include rebooting the nodes, copying a malware-free operating system into the two nodes, copying the data stored at the temporary customer-controlled node into the controlled node and generating a Transport Layer Security (TLS) communication channel between the second customer-controlled node and the non-controlled node.

Step 450 discloses the controlled node creating communication sockets, for example opening web sockets that allow communication between the controlled node and the non-controlled node. The communication sockets enable the non-controlled node to communicate with the controlled node, while preventing the controlled node from initiating communication with the non-controlled node.

While the disclosure has been described with reference to exemplary embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted for elements thereof without departing from the scope of the invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings without departing from the essential scope thereof. Therefore, it is intended that the disclosed subject matter not be limited to the particular embodiment disclosed as the best mode contemplated for carrying out this invention, but only by the claims that follow.

The invention claimed is:
 1. A computerized system for controlling access to encrypted data, comprising: a first node, comprising a first memory storage configured to store a first share of a cryptographic key and a communication module; and a second node, in communication with the first node, comprising a second memory storage configured to store a second share of the cryptographic key, wherein the first share and the second share of the cryptographic key are required to perform a cryptographic operation using a multiparty computation (MPC) process, wherein none of the first node and the second node has access to the share of the cryptographic key stored in another node, and wherein the second node further comprises: a control unit configured to change an operation mode of the second share from enable to disable, wherein the disable operation mode prevents performing the cryptographic operation receiving as input the first share and the second share of the cryptographic key using the MPC process, a log storage configured to store operations that require the second share, a processing module extracting information from the log storage and configured to determine irregular use of the second share, multiple different shares of cryptographic keys, each of the shares is configured to enable decryption of data in a different node communicating with the second node, and wherein the processing module generates a process for changing the operation mode of the second share from enable to disable upon determination of the irregular use of the second share.
 2. The system of claim 1, wherein the first node is located on an online storage platform and the second node is located in a data center.
 3. The system of claim 1, wherein the second node further comprises a management interface configured to enable a user of the system to input a command to change the operation mode of the second share.
 4. The system of claim 1, further comprises a key share storage configured to store key shares of multiple containerized software modules requesting access from the security server.
 5. A method, comprising: obtaining a first node and a second node in communication with the first node, the first node comprises a first memory storage configured to store a first share of a cryptographic key and a communication module, the second node comprises a second memory storage configured to store a second share of the cryptographic key, wherein none of the first node and the second node has access to the share of the cryptographic key stored in another node, wherein the second node further comprises: a log storage configured to store operations that require the second share, a processing module extracting information from the log storage and configured to determine irregular use of the second share, multiple different shares of cryptographic keys, each of the shares is configured to enable decryption of data in a different node communicating with the second node, and wherein the processing module generates a process for changing the operation mode of the second share from enable to disable upon determination of the irregular use of the second share; performing a multi-party computation (MPC) process between a controlled computerized node and another node using the first share and the second share; receiving a command to change an operation mode of the key share from enable to disable, wherein the disable operation mode prevents performing the cryptographic operation receiving as input the first share and the second share of the cryptographic key using the MPC process; and changing the operation mode of the key share.
 6. The method of claim 5, further comprises storing usage log of the key share stored in the controlled node.
 7. The method of claim 6, further comprises processing the usage log and identify irregular behavior in key share usage.
 8. The method of claim 6, wherein the command is received from an administrator device receiving the usage log of the key share.
 9. The method of claim 5, wherein changing the operation mode of the key share disables the MPC process.
 10. The method of claim 5, wherein changing the operation mode of the key share comprises disabling communication between the controlled computerized node and the other node.
 11. The method of claim 5, wherein changing the operation mode of the key share comprises deleting the key share from a memory of the controlled computerized node.
 12. The method of claim 5, further comprises a set up stage of the first node and the second node.
 13. The method of claim 12, further comprises copying an image of a known and malware-free hardened operating system into the first node and the second node.
 14. The method of claim 12, further comprises creating a temporary customer-controlled node and copying the data stored at the temporary customer-controlled node to a customer controlled location and creating a second customer-controlled node.
 15. The method of claim 14, further comprises copying the data stored at the temporary customer-controlled node to the second customer-controlled node.
 16. The method of claim 15, further comprises generating a Transport Layer Security (TLS) communication channel between the second customer-controlled node and the non-controlled node.